(Part 1 of 3) Business Continuity Planning (BCP) and Disaster Recovery (DR) Planning for Commercial Banks of Nepal: BCP Policy, Hazard Identification, Risk Assessment, Vulnerability Reduction and Emergency Response

In today’s world, the banking and financial sectors play a vital role in the economic growth, stability and sustainability of a country. They are expected to provide 24/7 continuous and reliable services to an array of customers and stakeholders. However, one cannot deny the fact that banks and financial institutions are susceptible to internal as well as external threats such as fire, explosion, earthquake, pandemic, blockade, fuel shortage, severe storm, landslide, flood, fraud, cyber-attack, power outage, system failure, etc.

These hazards can give rise to various kinds of risk (financial, operational, legal, reputational, etc.) and may lead to severe business disruption, sometimes even crippling the financial system as a whole.

As the country suffers the financial blow of the COVID-19 pandemic, it is obvious that, more than ever before, we need to integrate sound and effective Business Continuity Management (BCM) practices within our banks and financial institutions. One tangible way to check whether an institution has embraced BCM is to see that it has a ready and workable Business Continuity Plan (BCP) addressing all critical aspects of banking and financial activities pertaining to people, process, infrastructure, facility and technology.

Nepal Rastra Bank (NRB) released its “Nepal Rastra Bank Information Technology Guidelines” in August 2012. The core objectives of these guidelines are to promote sound and robust technology risk management and to strengthen system security, reliability, availability and business continuity in the commercial banks of Nepal.

Under the title “Business Continuity and Disaster Recovery Planning”, the guidelines set specific requirements for banks in relation to BCP policy, roles and responsibilities, risk analysis, vulnerability reduction, disaster response, business impact analysis, recovery strategy, datacenter, backup sites, resumption of business processes, training, testing and updates.

Disaster preparedness and disaster mitigation are the key planning aspects of any business continuity and disaster recovery effort. Disaster preparedness involves the activities performed prior to a disaster to support and enhance disaster mitigation measures. Disaster mitigation, on the other hand, includes the action plans and activities to eliminate or reduce the effects of a disaster after it has occurred.

In essence, a BCP bundles together all the documents required for the effective execution of hazard identification, risk control, disaster response and business recovery, so that critical business functions can be re-established after a disruptive event, such as a massive earthquake or the failure of a firewall security system.

Business continuity and disaster recovery planning requires serious commitment and dedicated effort from the executive leaders of commercial banks. Such efforts are far more likely to succeed when they have the support of those in senior leadership positions. This is all the more so because, at the end of the day, the board of directors and senior management are responsible for the bank’s business continuity.

BCP Policy

The NRB guidelines require banks to develop a board-approved BCP policy and appoint a senior bank officer as the head of the BCP process. The BCP policy should incorporate detailed procedures for prioritizing critical business functions, controlling identified risks, allocating resources and manpower, handling emergency incidents and reviewing the policy periodically.

A BCP can be simple or complex depending on the size, scope, goals and objectives of the bank. The BCP policy should establish achievable goals and set clearly defined objectives and milestones for reaching them. The goals and objectives should encompass all aspects of the plan, including hazard prevention, risk mitigation, disaster preparedness, emergency response and recovery of business processes. Short-term objectives are essential to the development of the plan, while long-term objectives may require more significant planning, investment and expertise.

A BCP is likely to achieve the greatest success when a senior officer within the bank is fully dedicated to completing the assessment and organizing efforts to follow up on the required tasks. Keeping this in mind, the bank should appoint a BCP Coordinator who is responsible for putting together and maintaining a comprehensive BCP based on its business impact analysis, risk assessment and recovery objectives.

Next, a BCP Executive Team should be formed at the headquarters level, comprising senior officers from various departments, especially those working in the critical business areas of the bank. Similar BCP teams should also be set up in the branch offices so that their work mirrors that of the BCP Executive Team.

Hazards and Risk Assessment

Hazards are events that can give rise to business disruption or an emergency situation. The NRB guidelines require that a BCP consider all possible hazards, including natural and man-made events, security threats, human error, regulatory requirements, dependencies created by outsourcing activities, operations in multiple countries, etc.

To identify hazards, you should gather information about natural or man-made emergencies that may arise in your local area, as well as emergencies that may be created by the interruption of the bank’s own operations.

There are a variety of sources for hazard information, such as employees working in different departments of your bank, local media, disaster reports, government organizations, academic institutions, nonprofit agencies, etc. Also, find out about any emergencies that have occurred in the past and gather information about other potential hazards such as fire, explosion, hazardous materials, flood, landslide, blockade, telecommunication or computer system failure, power outage, construction failure, human error, fraud, etc.

You should also assess how likely each such event is, how exposed the bank is to it, what the bank’s vulnerabilities are, what assets are at risk and how severe the hazard’s impact would be.

An institution-wide risk assessment looks at the probability and impact of a variety of specific threats that could cause a business disruption. The process also allows you to prioritize risks and proceed accordingly in your bank’s emergency response, business continuity and recovery planning.

It makes more sense to focus your risk assessment on the critical business functions identified during the business impact analysis. Remember, this is not a one-off exercise: you should regularly update and extend your risk assessment matrix to keep it current and relevant. The BCP Coordinator should be made responsible for its periodic update.

Reducing Vulnerability

After gaining a better understanding of the hazards that may impact your banking activities, you also have a sense of where and why you are vulnerable to such impacts. The next step is to use this information to reduce your vulnerabilities as far as possible. This involves identifying and implementing pre-emptive measures to reduce vulnerability, as well as assessing your ability to respond to emergencies.

You need to consider how your bank and its employees would respond to emergency events. This includes an assessment of existing resources by asking questions such as: How quickly can you react? Do you have the skills and inter-organizational relationships to respond swiftly and effectively? Can you identify alternative operational procedures?

For instance, if a landslide obstructs an important road that is part of your distribution network, would you be able to use an alternative distribution route or method? If intermittent fuel shortage is a risk, would it make sense to keep a stockpile for such occurrences? If there is a server fire in the facility, would you have a recent backup of your digital data readily available?

One of the most effective ways to assure your bank’s recovery from an emergency is to involve your employees directly in preparing and planning for disasters. When assessing your human resources, consider what you have in place already and what you need to do to help prepare and train your employees.

You may also consider purchasing insurance products, especially for the hazards with a high risk-priority score in your risk assessment matrix, if such products are available in the market.

You should plan ahead in case the bank needs assistance from others in an emergency. It is recommended that you contact, in advance, external organizations that may be able to help just in time, during or after a disaster.

In some cases, formal agreements such as an MoU may be helpful to define the business terms, relationship and communication with these service providers during an emergency. This may also include, for example, agreements with other banks to continue serving your clients while your bank is transitioning to backup operations.

Emergency Response

Emergency response refers to the bank’s initial activities designed to mitigate a disaster’s immediate and short-term impacts. An Emergency Response Plan (ERP) should include specific guidelines and procedures for declaring an emergency, activating the internal response, notifying staff, maintaining lines of communication, deploying the BCP and recovery teams, etc. It should also clearly set out how and when to move to an alternate site, how to access data stored off-site, who is responsible for what, etc.

An ERP basically identifies the structures and preparations you need to make to respond effectively to emergencies. It describes the steps your bank would take to protect itself and its employees before, during and after an emergency.

In a major disaster such as an earthquake, you cannot expect immediate assistance from the community or from professional responders. The bank should therefore be prepared with some internal responders (with pre-positioned equipment) who can conduct basic search and rescue until the professional responders arrive at your premises.

If your employees are briefed about potential emergency situations and how to respond, their response will be more effective and they are less likely to be confused or scared. This calls for an effective crisis-communication plan, so that all your employees clearly know their roles during a disaster, as well as the roles and responsibilities of key personnel at your facility.

Although there may seem to be an overlap between the ERP and the BCP, bear in mind that the ERP focuses primarily on pre-emptive measures for disaster preparedness and response activities immediately after a disaster, while the BCP is primarily a business recovery and a rather long-term impact mitigation plan.

The bank should have a board-approved written ERP that is regularly reviewed, exercised and updated to ensure that the plan actually works in a real emergency.

Moreover, the NRB guidelines require that the bank develop an appropriate ERP, including communication strategies and outsourced services, to ensure business continuity, control reputational risk and limit the liability arising from service disruption. The ERP should, inter alia, cover a mechanism to identify an incident as soon as it occurs, recovery of e-banking systems and services, a communication strategy to address external parties and the media, procedures to alert the relevant regulatory body, etc.